MEMBER FEATURE
Get locked in to new data rules
Five top tips to help ensure your business is ready for GDPR. By James Twine (pictured), Partner Solicitor at Wolferstans
Whether you have been readying your business with military precision (unlikely) since the General Data Protection Regulation (GDPR) was first adopted in April 2016, putting it off until after Christmas (very likely) or burying your head in the proverbial sand, the fact that the GDPR is coming cannot have escaped your attention. Like me, I expect you are being bombarded with emails and offers of support from so-called GDPR consultancy experts, and then you open this magazine and here it is again – but this time it’s even worse, it’s from a lawyer! Well, fear not: this is not a sales pitch (well, not entirely) and I am certainly not going to warn you that unless you have an all-singing, all-dancing Privacy Notice the ICO are going to hit you with a fine of €20m.

Do you need to do more than update your Data Protection Policy and Privacy Notice? Yes. Should you be panicking, frantically deleting everything you can, introducing policies left, right and centre, fearing fines and worrying that your business will grind to a halt because of the crippling and restrictive impact of the GDPR? No.

By way of brief background, the General Data Protection Regulation (GDPR) comes into effect from 25 May 2018 and replaces the Data Protection Act 1998 (DPA). While most businesses understandably see the introduction of the regulation as a huge inconvenience, and at the risk of alienating the entire readership, it’s not all bad. The DPA emerged from an EU Directive issued in 1995, and clearly that is not sufficient to reflect and protect the needs of individuals 23 years down the line. In 1995, Austria, Sweden and Finland joined the EU, Nick Leeson took down Barings Bank, Ajax won the Champions League, the Sony PlayStation was released in the US and Take That released Back For Good (hopefully something for everyone in there). Of perhaps more relevance, the World Wide Web had only been available to the general public for four years, Google was still three years from creation and we were over 10 years away from the release of the first iPhone. The point is, the current legislation is out of date.

18 Chamber Profile March/April 2018

As alluded to above, what the GDPR is looking to achieve is well intentioned. We live in a world with the risk of identity theft, ransomware and those annoying pre-recorded messages telling us we have been involved in an accident or that we have a claim for mis-sold PPI. The GDPR is looking to protect individuals and businesses from these threats. It can be used as an opportunity for that long overdue spring clean of filing cabinets and folders, a chance to review your customer and target databases, and it should give you the push you need to ensure that your systems and processes are secure and fit for purpose in what is now a digital age.

The essence of what the GDPR is really looking to achieve is a change of culture. Updating your Privacy Notices, completing your data audit and ensuring you have valid consent for marketing are all steps in the right direction, but what good is that if you or your employees are still leaving documents containing personal data on their desks overnight? Or if, within your organisation, you are holding personal data belonging to individuals who do not know you exist? We should be moving from a culture of “just in case” to “why am I holding this data?” Under the GDPR, you are obliged to review the data you hold, get rid of it if it is no longer required, and implement appropriate but proportionate measures to protect personal data. So where to start?
MY TOP TIPS
TIP 1: Acceptance
The GDPR is coming, there is no doubt about it; it will be here by 25 May 2018 and all businesses in Devon are going to be affected by it.

TIP 2: Understand the six core principles
The GDPR sets out six core principles of data protection that all organisations processing personal data must comply with:

Lawfulness, fairness and transparency – You will only be permitted to process personal data for one of six lawful reasons. Furthermore, all processing must be undertaken in a fair and transparent manner.

Purpose limitation – Personal data can only be collected for specified, explicit and legitimate purposes.

Data minimisation – The personal data you hold must be limited to what is necessary for the purposes for which it is processed.

Accuracy – All personal data must be accurate and as up to date as possible.

Storage limitation – Personal data should not be retained for longer than is necessary.

Security – You must ensure that you have appropriate security to protect the personal data you process.
TIP 3: Your data audit
This is the big one. Like all of the jobs we put off, whether that is clearing out the garden shed or the troublesome but non-urgent matter at work, once you get started it is never as bad as it first seemed. The big job, in terms of man hours, is your data audit or data mapping exercise. Put simply, if you do not know what data you hold, you cannot expect to comply with the GDPR. As a rule of thumb, you should be able to identify the 5 W’s for all personal data held by your organisation – Who, Where, What, When and Why.